Privacy policy

General Data Protection Regulation Policy

Pursuant to the General Data Protection Regulation 2016/679, applicable as of May 25th 2018, the following shall apply:

1. Principles of Data Protection
1.1 All staff shall have regard to, and observe, the principles of data protection (“the Principles”), as contained in Article 5 of the data protection legislation;
1.2 Compliance with the Principles shall include ensuring that personal data is:
a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard for the purposes for which they are processed, are erased or rectified without delay;
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest;
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2. Lawful Processing
2.1 Martin Cray & Co shall process data lawfully, in accordance with the specific and informed consent of data subjects as granted within the written terms of business (“the Terms”).
2.2 Such Terms shall provide the purposes for which data is held and shall explicitly make reference to the data subject’s ability to withdraw consent according to the Principle of transparency.
2.3 Where the data collected relates to a child under 16 years of age, processing shall be legitimately conducted with the consent of an individual who holds parental responsibility for the subject child.
2.4 Where a third party is engaged in the processing and storage of data controlled by Martin Cray & Co, consent shall be obtained to cover the processing activities carried out by the said third party.
2.5 Consent of data subjects shall be reviewed from time to time as necessary and shall be documented within the central GDPR compliance file.

3. Special Category Data
3.1 The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be processed as necessary in accordance with Article 9 of the regulation, namely pursuant to the establishment, exercise or defence of legal claims.
3.2 Where the special category data relates to criminal convictions, allegations or proceedings, Article 10 of the regulation shall apply and data shall be processed within the specific legal authorisation of the Data Protection Bill 2017 (“the Bill”).

4. Rights of the Data Subject
4.1 Martin Cray & Co shall take appropriate measures to uphold the fundamental rights and freedoms afforded to data subjects under the regulation, including the following:
a) The right to be informed;
b) The right of access;
c) The right to rectification;
d) The right to erasure;
e) The right to restrict processing;
f) The right to data portability;
g) The right to object; and
h) Rights in relation to automated decision making and profiling.

Right to Information
4.2 Privacy information shall be provided within Martin Cray & Co.’s standard terms of business, including, but not limited to, the purposes of processing; the retention periods for personal data; the rights available to individuals in respect of the processing; the recipients of personal data and the right to withdraw consent to the processing of personal data.

Right of Access
Individuals have the right to access their personal data – this is commonly termed ‘subject access’. The right of access shall be limited to:
a) Confirmation that we hold personal data;
b) a copy of said data; and
c) Other supplementary information

4.3 An individual is only entitled to their own personal data, and not to information relating to other people. Care must be taken to establish whether the information requested falls within the definition of personal data.
4.4 Subject to the reasonable administrative fees of Martin Cray & Co, written access requests submitted by data subjects shall be duly responded to in no more than one month from the date of receipt.
4.5 Where the access request is particularly large, Martin Cray & Co reserve the right to request specification from the data subject as to which data the request relates.

Right to Rectification
4.6 Pursuant to the Principle of accuracy, data subjects shall have the right to rectification of data processed under the terms of business. This right shall additionally apply to personal data which is incomplete.
4.7 Provided requests for rectification are submitted either written or verbally, Martin Cray & Co. shall respond no later than one month from date of receipt.
4.8 If there are grounds for extension to the response period, this shall be communicated with explanation to the individual without delay.

Right to Erasure
4.9 Article 17 of the regulation provides data subjects with the right to erasure of personal data without undue delay and emplaces an obligation upon the controller to erase such personal data without undue delay in the following circumstances:
a) Where the personal data is no longer necessary for the purpose which you originally collected or processed it for;
b) Where a data subject withdraws their consent to processing of personal data;
c) Where the data has been unlawfully processed;
d) Erasure is required to comply with a legal requirement.

4.10 Where data has been disclosed to others or made public in an online environment, steps must be taken to inform the data subject of the erasure.
4.11 The rights afforded under Article 17 shall not apply to the extent that processing is necessary:
a) For exercising the right of freedom of expression of information;
b) For compliance with a legal obligation;
c) For performance of a task carried out in the public interest or in the exercise of official authority;
d) For archiving purposes in the public interest; or
e) For establishment, exercise or defence of legal claims.

4.12 Where a request for erasure is to be refused, explanation should be offered to the data
subject without delay and, in any event, no later than one month following receipt of the
request.

Right to Restrict Processing
4.13 Article 18 of the Regulation guarantees data subjects a right to restrict the processing of their personal data in the following circumstances:
a) Where the individual contests the accuracy of their personal data and you are taking steps to verify this;
b) Where data has been processed in breach of Principle 1 of Article 5 and the individual opposes erasure and requests restriction instead;
c) Where you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
d) Where the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.

4.14 The Article 18 right to restrict processing may also be raised upon:
a) A challenge to accuracy of personal data as per clause 4.5 above; or
b) An objection raised under article 21(1) to the processing of data.

It will therefore be necessary to restrict processing as a matter of best practice when considering accuracy of data or the legitimate grounds upon which it is processed.
4.15 Where personal data has been restricted under Article 18, notification must be made
without delay to Martin Cray & Co’s third party processors to ensure that no further
processing of the data is conducted in breach of Principle 1 of Article 5. Where possible,
attempts should be made to remove user access to the subject data during the period of restriction.

Right to Data Portability
4.16 The right to data portability gives individuals the right to receive a copy of personal data they have provided to Martin Cray & Co. It also gives them the right to request such data to be transmitted directly to another controller.
4.17 Data portability rights are confined to data which is processed by automated means (ie excluding paper files).
4.18 The rights and freedoms of third parties must be considered where personal data transmitted would include information pertaining to a third party.
4.19 Where data is transmitted to a third party controller, in accordance with a data subject request, Martin Cray & Co shall retain no responsibility for the subsequent processing of such data.
4.20 Data should be transmitted in common, structured and machine readable format. Best practice may include the use of spreadsheet documents in the delivery of data.
4.21 Where data is received by way of a data portability request, Martin Cray & Co shall take reasonable steps to ensure such data is not excessive in relation to the purposes for which it is processed. Consideration shall also be had as to whether the transmission includes data pertaining to third parties.

Right to Object
4.22 Article 21 of the regulation gives individuals the right to object to the processing of their personal data. The right only applies in the following circumstances:
a) Where the purpose of processing is for direct marketing purposes – this is absolute;
b) In all other circumstances, the data subject should provide specific reasons why they are objecting to the processing of their data.

Where Martin Cray & Co receives an objection to the processing of personal data, and has no grounds to refuse, the processing of such data must stop.
Identification of Data Subject Requests

4.23 Requests made by data subjects under the foregoing provisions need not be made in prescribed forms – requests can be made either in writing or verbally to the controller.
4.24 Requests shall be deemed effective where they are communicated with sufficient clarity, regardless of whether the regulations are explicitly referred to.
4.25 The identification of data subject requests, and the speed with which they are facilitated, shall be imperative to compliance with the regulation. In absence of exceptional circumstances, Martin Cray & Co shall respond to subject access requests within the scope of Articles 12-23 no later than 1 month from the date on which the request was made.

5. Duties of Martin Cray & Co.
Further to the Principle of accountability, Martin Cray & Co shall ensure compliance, and demonstrate the same, through the following:
a) Implementing data protection policies;
b) Putting written contracts in place with organisations that process personal data on behalf of Martin Cray & Co;
c) Reviewing and, where necessary, updating security measures designed to safeguard compliance taking into consideration the advancement of technology and the sensitivity of the data which is to be safeguarded;
d) Creation of a culture of privacy across its organisation;
e) Taking a ‘Data Protection by Design and Default’ approach.

5.1 Data protection by design and default provides that, at all stages of processing of personal data, steps must be taken to ensure data protection. Compliance shall be effected by the following practices: password protecting unattended computers; placing restrictions on user status for the purposes of access to data subject particulars; monitoring of processing activities, data sharing and retention.
5.2 By agreement between Quill Pinpoint Limited (“the Processor”) and Martin Cray & Co (“the Controller”), the regulations, particularly Article 28, have been incorporated into the service user agreement dated 31st May 2013 (“the Contract”).

Documentation
5.3 Processing activities, and the results of any information audits shall be documented in a ‘processing log book’ which can be found electronically on the firm network.
5.4 Special category data and criminal conviction offence data shall be documented with regard to the relevant condition for processing (contained in the Data Protection Bill); the lawful basis for our processing; and how personal data is retained or erased.
5.5 As a small organisation, Martin Cray & Co shall document processing activities which:
a) Are not occasional;
b) Could result in a risk to the rights and freedoms of individuals; or
c) Involve the processing of special categories of data or criminal conviction and offence
data.

5.6 The processing log shall be compliant with Article 30 insofar as it details the name and
contact details of Martin Cray & Co and any third party Processors; the purposes of processing; the categories of individuals and categories of data; categories of recipients of
personal data (where appropriate); details of transfers to third countries; retention schedules and details of technical and organizational security measures.

6. Security
6.1 Martin Cray & Co shall implement security measures as necessary to protect the personal data it controls including the use of alarm systems, door locks, and supervision of visitors.
6.2 Where data is no longer being processed, but archived in accordance with Article 5 of the Regulation, it shall be secured offsite in a location operated by Martin Cray & Co.
6.3 The destruction of physical data shall be facilitated by routine shredding throughout the office.
6.4 Recovery of personal data held on Martin Cray & Co systems shall be effected by a combination of back-up software implemented on all desktop devices; dedicated network drives and by contract with all Processors of Martin Cray & Co data – a copy of Quill Pinpoint Ltd’s ‘cyber security’, ‘business continuity’ and ‘disaster recovery’ plans can be found in the office ‘GDPR compliance file’.

7. Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
7.1 Where a personal data breach is likely to result in detriment to the rights and freedoms of data subjects, the ICO must be notified without delay – not later than 72 hours after the incident.
7.2 Where the conclusion is that no such notification need be made, as the risks are not made out, you must be able to justify this decision. The incident must be documented and submitted in detail to the GDPR compliance file.
7.3 Third party processors of data are under an obligation to notify Martin Cray & Co without undue delay where they suffer a breach. Controllers may ultimately be liable for third party breaches. As such, a proactive approach must be taken whenever processing activities cause breach.

In addition to this privacy policy, staff should familiarise themselves with the guidance documents contained within the central GDPR folder on network ‘nt’. A hard copy of all documents shall be kept in the middle office cabinet.